Krebs on Security

In-depth security news and investigation

Harbortouch is Latest POS Vendor Breach

Last week, Allentown, Pa. based point-of-sale (POS) maker Harbortouch disclosed that a breach involving “a small number” of its restaurant and bar customers were impacted by malicious software that allowed thieves to siphon customer card data from affected merchants. KrebsOnSecurity has recently heard from a major U.S. card issuer that says the company is radically downplaying the scope of the breach, and that the compromise appears to have impacted more than 4,200 Harbortouch customers nationwide.

In the weeks leading up to the Harbortouch disclosure, many sources in the financial industry speculated that there was possibly a breach at a credit card processing company. This suspicion usually arises whenever banks start feeling a great deal of card fraud pain that they can’t easily trace back to one specific merchant (for more on why POS vendor breaches are difficult to pin down, check out this post.

Some banks were so anxious about the unexplained fraud spikes as stolen cards were used to buy goods at big box stores that they instituted dramatic changes to the way they processed debit card transactions. Glastonbury, Ct. based United Bank recently included a red-backgrounded notice conspicuously at the top of their home page stating: “In an effort to protect our customers after learning of a spike in fraudulent transactions in grocery stores as well as similar stores such as WalMart and Target, we have instituted a block in which customers will now be required to select ‘Debit’ and enter their ‘PIN’ for transactions at these stores when using their United Bank debit card.”

A notice to customers of United Bank.

In a statement released last week to KrebsOnSecurity, Harbortouch said it has “identified and contained an incident that affected a small percentage of our merchants.”

“The incident involved the installation of malware on certain point of sale (POS) systems,” Harbortouch said in a written statement. “The advanced malware was designed to avoid detection by the antivirus program running on the POS System. Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems. We have engaged Mandiant, a leading forensic investigator, to assist in our ongoing investigation.”

The company said the incident did not affect Harbortouch’s own network, nor was it the result of any vulnerability in the PA-DSS validated POS software.

“Harbortouch does not directly process or store cardholder data,” the company explained. “It is important to note that only a small percentage of our merchants were affected and over a relatively short period of time. We are working with the appropriate parties to notify the card issuing banks that were potentially impacted. Those banks can then conduct heightened monitoring of transactions to detect and prevent unauthorized charges. We are also coordinating our efforts with law enforcement to assist them in their investigation.”

However, according to sources at a top 10 card-issuing bank here in the United States that shared voluminous fraud data with this author on condition of anonymity, the breach extends to at least 4,200 stores that run Harbortouch’s point-of-sale software.

Reached for comment about this claim, Harbortouch reiterated that the malware incident impacted a small percentage of its merchants.

“It was nowhere near all of our customers, that is simply a false statement” said Nate Hirshberg, marketing director at Harbortouch, declining to answer questions about how many locations the company serves. “This malware incident impacted individual merchant locations, not Harbortouch. Harbortouch is not a processing platform, not a gateway and we do not store any cardholder data. This is not an ongoing incident and the malware was eliminated rapidly upon detection.”

One thing is for sure: POS providers — and their myriad customers — have a massive target on their backs, and there are almost certainly many other POS companies that are dealing with similar problems. Stay tuned for further updates.

This entry was posted on Friday, May 1st, 2015 at 1:57 am and is filed under A Little Sunshine, Data Breaches.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

It depends on the bank and the amount you have in your account(s),
My bank, actually a S&L, has a $1000 daily withdrawal limit.
Also, I restricted ATM withdrawal to my checking account, with no “overdraft” coverage from my other accounts.

I believe that the PIN is encrypted at the PED in such a way that the merchant doesn’t even see it – I think it’s like end to end encryption basically. Anyone confirm? There are downsides to fraud on debit card side when it occurs, but specifically regarding losing your PIN, I don’t think it’s putting it at risk.

BUT – Any use of a Debit card puts you the consumer at risk of disruption if the number is lifted and used for fraud. It comes right out of your bank account and could disrupt payment of bills etc. Never use debit in anything other than an ATM, credit cards have better protection and if there is fraud you don’t have to worry while the bank and merchant figure it out, its not your problem, other thank checking your statement and reporting charges that aren’t yours.

It is true that debit PIN entry has been subject to a form of end-to-end encryption for a long time now… at least a decade if my memory serves.

Each debit PIN entered in the US is encrypted with a unique key per transaction. The decryption happens at the merchant’s processing bank and then the decrypted PIN is processed from that point to the cardholder’s issuing bank.

United Bank’s approach to shut down signature-based transactions on their debit cards is the correct one to take, in my opinion but it IS a radical solution. That alone would tell me that the breach is significant.

The ridiculous thing here is that the company seems to be saying (once again) – it wasn’t a flaw in our SOFTWARE – when the issue is that it was that the malware installed on the PC is able to do memory scraping.

These POS vendors that cater to small businesses really do have a large target on their backs. It is difficult for them to get small businesses to recognize the need to update equipment and security standards.

I’m not forgiving their handling of this if Brian’s reports are correct. They help NO ONE but the criminals by minimizing the scope in their public statements.

The problem is that a PIN is only 4 digits and each digit from range 0-9. Now, I understand it is encrypted and not hashed, so one cannot just brute force it without the key. But how secure is that key?

It’s line of defense is a strong and most importantly unknown key. So is it unique per card, unique per bank or unique per transaction? In the latter case how is the key generated and exchanged.

If I have to enter my debit PIN on an online transaction, I probably use a different card. (I wouldn’t use a debit card online anyway, but for the sake or argument.)

That’s why I wrote “you cannot brute force it WITHOUT the key”. It is encrypted, not a hash. Also there is online and offline brute force. One doe snot always need to actually try a key to brute force it.

Hence my ask, how the key generation is. Is it unique or not? Unique per transaction, unique per bank, per card, per POS? Etc.
And if unique how is the key generated and exchanged.

Because the data is very short and very predictable, having weaknesses or non-uniqueness in keys allows for offline (!) attempts in getting the PIN decrypted.

The key is unique per terminal. It’ a Triple DES key and it’s not just a simple encryption of the PIN, it also involves the card number so that two cards with the same PIN will get different encrypted PIN values (called a PIN block). Google “ISO-0 PIN Block” and read the wikipedia entry.

I’m pretty sure they key is per terminal. I know it is per ATM and I think POS devices run the same way.

After reading into it, the key BTW is indeed per terminal, and depends typically on the cryptocraphic chip.

So in that case it looks all pretty safe indeed assuming the encryption takes place before it enters the main POS operating software (where it can be scraped). In the Target hack e.g. it did not, but I believe in many other POS it does.

Today’s PED are tamper proof, meaning any sudden jolt/shake/etc. will wipe the encryption key from the PED. If the retailer has their systems setup you can no longer use that PED for debit as there would be no way to encrypt the PIN.

Current encryption standard for PEDs are DUKPUT TDES, though there are a few exceptions to this, mainly Automated Fueling Dispensers (AFD). Unless the AFD has been upgraded in the last few years it is most likely using DUKPUT SDES.

And anyone else notice the red and crossed out https for the bank’s website? Good for them trying to protect customers, but they really should fix that certificate error…

No, not in malware breaches. The PIN number is NEVER exposed to the retailer. The PIN is encrypted on the card, and the retailer’s device reads the encrypted PIN, and sends it to the bank still encrypted, and only the bank can decrypt the PIN number. The only time PINs get compromised is when skimmers are used and they are using an alternate method like a camera to capture the PIN number.

That said, you do lose all of the fraud benefits of the Visa / MC brand on the card when you use debit, and fraud resolution falls to bank policy, and in most cases, banks will not void a PIN transaction, because the PIN is essentially authenticating it as a valid transaction.

All that said, PINs ARE vulnerable. You should NEVER stick with a standard 4 digit PIN. It is fairly trivial for the hackers to crack 4 digit PINs if they capture enough of them, as they can compare “1234” to the encrypted version, say “adje” and anytime they see a PIN that is “adje” in encrypted format, they know it is 1234. (That is a VERY oversimplified explanation, but serves the point) Just always use a 6 digit or greater PIN, that is NOT a birthday or other info you can find easily online.

Also, as Brian has covered before, if your bank supports resetting your PIN by phone, especially using an automated system, they frequently will call in after finding your SSN, DOB, address, etc and try to reset it to something they then know. You should always request your bank to put a “lock” on your account that requires your PIN to ONLY be reset in a branch, or by being mailed to you.

What does that mean in practice, Lynn? When a customer has their debit card stolen and their account gets cleaned out, you’ll probably put the money back. But what about when the customer also has hundreds of dollars of bounced check fees and other dings from third parties associated with not having sufficient funds to cover checks written? Do you also reimburse the customer that cost?

In response to Farkidoodle Doo, yes, but probably not significantly. If the POS is already infected, they’ve already got the entire magnetic stripe, and many places don’t require a PIN, especially for online transactions. My response has been to carry more cash, and minimize the use of my cards, especially at establishments where the employee walks away with your card. (Between my wife and I, we have had three cards skimmed, or otherwise had the whole magnetic stripe data stolen, and our bank blocked “card present” transactions, then replaced the cards.)

I will be using cash at all small businesses and for all small transactions from now on. I just had to get a new credit card number due to $600 in unauthorized charges, which my bank covered. I used to use cash for everything but then my bank convinced me to get a cash back card.

Maybe they should allow cash discounts, put the cash back credit cards on a level playing field with regular cash.

Interference with the free market usually does Not work out all that well.

Ridiculous. The last time I was robbed was 45 years ago, it is not something I have to think about. I don’t go to places that are risky. I go to a teller, get a few thousand in cash out and leave most of it at home, easy as pie.

I will still use a credit card at large retailers, for buying groceries, gas. But I will not be using a credit card for small purchases and at small retailers. The fewer people who have my number, the less chance I will have to go through the hassle of changing credit card numbers. And I will not be helping the thieves of the world get rich.

The situation is out of control and no one is going to magically fix it for us. Each person has to decide for themselves what they are going to do.

Being as anonymous as possible and lowering ones electronic footprint are probably a good ideas for everyone.

In my case, I make very few small transactions and very rarely buy at small retailers. It is no burden at all for me to pay cash for those and by doing that I will probably lower the number of retailers that have my credit card number by 1/3 or more.

Well, it is a hassle to have to get a new card and get it configured with all of the vendors that do automatic payment.

And then there is the question of identity theft. I don’t know the extent to which this is a legitimate concern for people who have had their credit card numbers stolen, but if it does, it can be a huge hassle to unwind.

And once place where I get gas gives me 5 cents/gallon off if I pay with cash.

I use cash at merchants I visit infrequently, or wherever the amount spent is small (less than about $15). Credit cards at those where I visit repeatedly.
Cuts down on the chanches of encountering an infected system.
The only time a credit card of mine was compromised when, violating my rule, I used the card at Michaels for a $7 purchase (all my purchases at that store are below $15).

Since POS terminals are dedicated-purpose systems that should rarely have a need for new features to be added…

WHY ON EARTH are they not rapidly deploying binary whitelisting on these? I.e. nothing not on this approved list of md5 sums will run, or at least not without a UAC prompt or equivalent, and software images are loaded into read-only parts of their address spaces.

Same defense can be applied to anything that has a fixed purpose, rather than being a truly general-purpose computer for which whitelisting would be a straitjacket. Half the stuff the US Cyber Command is horrified about would be rendered safe: power grid control systems, process control at key industries (whitelisting there would have saved the Iranians some headaches when Stuxnet came calling), and so forth.

Of course, that last item probably shows why: whitelisting has not been encouraged, or even been actively discouraged, for reasons of so-called “national security”: the NSA’s ludicrous “we have to make it insecure to secure it” philosophy. What would have been the effect of broadly pushing the adoption of whitelisting? A lot fewer of these breaches and power grid folks able to sleep soundly at night, while MAYBE Iran gets the bomb. Which they then don’t dare use, since if they did, Tehran becomes a glowing crater within the following 20 minutes.

We actually just had our PCI Pentest completed last week by a VERY GOOD security company, and by properly segmenting our PCI network and requiring 2 factor authentication to access it, they were unable to break in, even after gaining domain admin access. Once I placed the tester inside the PCI network, it STILL didnt matter, because we have whitelisting on all registers and store servers. The result was he in no way could get card data, as the control servers for the whitelisting is also protected by 2FA. It is a PAIN to administer, but works like a charm. Not even obscurificated, custom powershell exploits could be run against the registers because of whitelisting.

But the answer as to why, is security team resources, and money. Most of these retailers dont have full security teams to administer such a PITA application to manage. And if you are midsized, you likely cant easily get the money to license every register / server with whitelisting. We only were able to extend it to our registers because our AV vendor added whitelisting to a new release, so we incurred no new content.

I also dont understand why applications that reset the machine to a base config at reboot arent used more (other than the cost / security resource issue). POS’s dont change frequently, and dont need persistent storage. Programs like deepfreeze / goback / etc are GREAT for this purpose, if malware does get in, it goes away with a reboot, and you schedule your POS’s to reboot nightly, or even better, you configure your POS app to force a reboot after an employee signs off (break, shift close, store close, etc) in the same way the computers at kinkos that customers use do.

I also have a hard time understanding how POS systems in general get hacked.

I mean, in gereal a system gets hacked (if one rules out physical access) in just three ways
1) system goes to internet resource that is compromised. E.g. your webbrowser. Should not apply to POS as it only needs to contact fixed and secure servers.
2) users downloads malware and installs it. E.g. fishing email. Should not apply to POS for obvious reasons.
3) system has open ports in the firewall to which the hacker can get into.

Since POS system typically have ports open for maintenance, I guess it is (3). Also some of Krebs articles suggests this is a common way of getting into POS systems.

But if I’m missing something I would love to be educated.

The reason I ask, is that it seems not awfull hard to lock a POS down and its main weakness is the software that allows remote access.

Don’t get me wrong, all those other things are very good as well, as they contain a breach, but I’m mostly puzzled on how they get infected in the first place.

What I have found is the POS system runs on the same network as all other devices the company owns. Look at Target for proof of this. Why is the POS system on the same network as a freezer? I would place good odds that on the fact the hackers gained access to a workstation first and then through exploration found the POS system just sitting there ready to be used.

> Half the stuff the US Cyber Command is horrified about would be rendered safe: power grid control systems, process control at key industries (whitelisting there would have saved the Iranians some headaches when Stuxnet came calling), and so forth.

But then they wouldn’t have a justification for their gargantuan budget.

Whitelisting? I will ask again: “Why is this system on the public Internet in the first place?”. I don’t know the details, but I am sure there are myriad ways to prevent the bad guys’ access to the system at all, from VPN to private circuits to modem access only to firewalls, etc., etc.

Was at Walmart last evening and the buyer credit card PIN Pad terminal was now asking me for the back of the credit card security code (this was for a credit card purchase). It was quite disconcerting – cause I don’t like putting that in the hands of our often compromised lowest bidder security retailers POS POS systems.

I can see the verification angle on this – but it also puts the verification code into the POS system when that is compromised.

The Walmart Grocery by me has Ingenico terminals that look like they came from the first PCI-PED certifications. They have to have no more than 8MB of memory each. The best part of checking out is waiting for the transaction to be approved.

Application whitelisting is great, but remember you have to really secure that system or they just use it against you. If they discover whitelisting, they’ll likely white list whatever they need. At the point they’re into your CC systems you’ve probably been owned all over your environment, it’s a speed bump.

There’s no excuse for any merchant having those POS systems in the same segment as the rest of the network. The argument that it’s too expensive is hogwash. Yup, here comes the shameless plugs. I build firewalls using a small piece of hardware and Red Hat Fedora for pennies on the dollar versus the over-complicated vendor stuff. The whitelist can go right in the ruleset and the firewall can log and drop any traffic outside the whitelist. Simple and clean. All open source. Writeup right here:

Thanks for your comment, Greg. What I have not seen asked or answered in any of the reporting concerning data breaches is “Why is this data on the public Internet in the first place?”. I don’t know the details, but I am sure there are myriad ways to prevent the bad guys’ access to the data at all, from VPN to private circuits to firewalls, etc., etc.
If the answer is “convenience”, then the data stewards need to look at the price of making it easy.
My gut tells me that most of the data does not need to be as “available” as it is and that the cost of isolating would be a fraction of the cost due to breaches.

If you have an account at United Bank they are now forcing you to be at risk for card fraud by forcing you to do the transaction as a debit instead of credit. Find another bank or better yet a credit union. Don’t use a debit card for anything. If they won’t let you process as credit, there is no real benefit, just risk, all on you.

Although Harbortouch is basically saying “not my fault” “we don’t store or process payment card data”, there’s no indication of how this happened with all these merchants using Harbortouch. Was it due to the remote access they use log into these merchant’s site? Come on. There has to be a way all these merchants were hit and the commonality being Harbortouch. It’s ok to say we’re doing these things to be compliant (not storing data, etc.) but there is probably something else being done by Harbortouch that allowed their clients to be compromised.

I used to work for these people and the breach is split between the system owners and the company. the users tended to want the pos to be an free desktop pc and would hack the system so they could freely browse the web and disable the av to speed up the system or install random software that was never vetted for pci compliance. unfortunately the company tended to be cheap with securing the systems the entire deployed pos inventory is manually maintained and there is not enough staff to do normal tech support and do overnight security and software updates. remember most pos systems are running some form of windows xp embedded the few still getting updates are pos ready 2009 systems. the downside is windows xp has an very primitive compared to vista and 7’s uac. there unlikely to9 respond in the realistic point of view they have an high turnover of technical staff and the owner is having the management also running the two air fleets he owns.

Hmmm. Some misunderstanding by readers and misinformation by companies. First, this is the risk that POS companies put people at when they make card processing proprietary to their own processor. Second, Harbortouch POS does not necessarily store card data, that much is true, but the only company that you can process cards on a Harbortouch system through is HARBORTOUCH MERCHANT SERVICES. So what are they saying, “we didn’t leak your card data, that was our other division”? And if that is true, does that mean that the breach was not necessarily limited to POS customers and could also negatively impact Harbortouch clients that process on traditional terminals. Also, is there anything to the post warning customers. The bank posting is United Bank. The former name of Harbortouch was United Bank Card…. Seems a little fishy to me.

Hmmm. Some misunderstanding by readers and misinformation by companies. First, this is the risk that POS companies put people at when they make card processing proprietary to their own processor. Second, Harbortouch POS does not necessarily store card data, that much is true, but the only company that you can process cards on a Harbortouch system through is HARBORTOUCH MERCHANT SERVICES. So what are they saying, “we didn’t leak your card data, that was our other division”? And if that is true, does that mean that the breach was not necessarily limited to POS customers and could also negatively impact Harbortouch clients that process on traditional terminals. Also, is there anything to the post warning customers. The bank posting is United Bank. The former name of Harbortouch was United Bank Card…. Seems a little fishy to me.